Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HijackThis Log


  • This topic is locked This topic is locked
19 replies to this topic

#1 DisNfected

DisNfected

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:07:05 AM

Posted 18 November 2010 - 04:19 PM

Malware/Virus name: Alureon.F

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:52:47 PM, on 11/17/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG PC Tuneup 2011\BoostSpeed.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgchsvx.exe
C:\Program Files\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Documents and Settings\Mom & Dad\Desktop\Virus-Malware Apps\Windows Security\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:50370
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1259281569481
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1259282824843
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll
O20 - AppInit_DLLs: nazoluha.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 6284 bytes

*** --- ***

Virus activity overview:

If I understand the log data correctely, it would appear that the Alureon.F virus has tapped into my registry and took over a few communicator/downloader programs (i.e., iTunes, SoundMAX, MS-Messenger) and is using those programs to send data back to a host server. Each time I attempt to use Internet Explorer, the browser is hijacked and redirected to a fake website (in my case as apparently the same for most who are infected, the fake website solicits a fake anti-virus/adware removal tool to download). When attempting to remove the adware/malware, the virus deactivates my anti-virus/anti-malware software (AVG/Windows Security Essentials/Windows Anti-Malware Tool, etc.) - or more accurately it halts them - preventing me from updating any software that potentially detects and/or removes the virus file and/or error registry keys. Upon restart of my PC, the virus rewrites itself into the registry and the process starts all over again.

I've read the HijackThis Tutorial guide and if I understand the instructions correctly, I should be able to check each item as listed in the attached data log and click the "Fix checked" button to erraticate this virus from my PC. Of course, I'll await further guidence from you kind folks who diagnose these kinds of problems professionally or merely to expand your knowledge. Either way, I patiently await your instruction on the proper way to handle this issue.

Thank you.

Attached Files


Edited by DisNfected, 18 November 2010 - 04:21 PM.


BC AdBot (Login to Remove)

 


#2 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:02:05 PM

Posted 18 November 2010 - 04:33 PM

Hello DisNfected, My name is Syler and I will be helping you to solve your malware issues. Please note because we are very busy, if I don't hear from you within 5 days the topic will be closed, If you have since resolved your issues I would appreciate if you would let me no so I can close this topic.


Download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • If Malicious objects are found then ensure Cure is selected
    • If any suspicious items are found, let it skip them for now
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

unite.jpg


#3 DisNfected

DisNfected
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:07:05 AM

Posted 18 November 2010 - 04:52 PM

Thank you, Syler (nice screen name, btw...watch "Heros" much...loved the show!)

I'm currently at work, but I downloaded the TDSSKiller.zip file to my flash drive and will run the program once I get home in about 2.5 hrs, then report back.

Thanks again. I'm anxious to get rid of this virus once and for good!

#4 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:02:05 PM

Posted 18 November 2010 - 05:26 PM

Your welcome, I will probably be asleep when you post the results, but I will get back to you tomorrow with some more instructions.

unite.jpg


#5 DisNfected

DisNfected
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:07:05 AM

Posted 18 November 2010 - 07:13 PM

I'm home and ran the TDSSKiller software on the affected PC and the only problem it found was as outlined below w/accompanying fix message at the end of the error string:

"c:\windows\system32\drivers\atapi.sys - will be cured after reboot"

I assume I should reboot at this point; awaiting further clarifying instructions.

(Note: I disconnected my Internet connection to the affected PC and temporarily disabled my anti-virus software prior to running TDSSKiller. That seemed to provide a clean sweep of the system, but I'm wondering should I have booted my PC in safe mode prior to running TDSSKiller or am I over-thinking the cleansing process? I ask because other anti-malware programs I've tried suggested running Windows XP in safe mode prior to attempting repairs.)

Edited by DisNfected, 18 November 2010 - 07:18 PM.


#6 DisNfected

DisNfected
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:07:05 AM

Posted 18 November 2010 - 08:03 PM

Guess it pays to read the instructions carefully.

I found the TDDSKiller log. The data is as follows:

2010/11/18 17:51:07.0250 TDSS rootkit removing tool 2.4.8.0 Nov 17 2010 07:23:12
2010/11/18 17:51:07.0250 ================================================================================
2010/11/18 17:51:07.0250 SystemInfo:
2010/11/18 17:51:07.0250
2010/11/18 17:51:07.0250 OS Version: 5.1.2600 ServicePack: 3.0
2010/11/18 17:51:07.0250 Product type: Workstation
2010/11/18 17:51:07.0250 ComputerName: BROWN-LANIER
2010/11/18 17:51:07.0250 UserName: Mom & Dad
2010/11/18 17:51:07.0250 Windows directory: C:\WINDOWS
2010/11/18 17:51:07.0250 System windows directory: C:\WINDOWS
2010/11/18 17:51:07.0250 Processor architecture: Intel x86
2010/11/18 17:51:07.0250 Number of processors: 2
2010/11/18 17:51:07.0250 Page size: 0x1000
2010/11/18 17:51:07.0250 Boot type: Normal boot
2010/11/18 17:51:07.0250 ================================================================================
2010/11/18 17:51:07.0593 Initialize success
2010/11/18 17:51:18.0734 ================================================================================
2010/11/18 17:51:18.0734 Scan started
2010/11/18 17:51:18.0734 Mode: Manual;
2010/11/18 17:51:18.0734 ================================================================================
2010/11/18 17:51:19.0484 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/11/18 17:51:19.0546 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/11/18 17:51:19.0625 aeaudio (e696e749bedcda8b23757b8b5ea93780) C:\WINDOWS\system32\drivers\aeaudio.sys
2010/11/18 17:51:19.0671 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/11/18 17:51:19.0734 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/11/18 17:51:19.0765 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2010/11/18 17:51:20.0109 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/11/18 17:51:20.0156 atapi (efd553e411b7f9f809118c751a4429e3) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/11/18 17:51:20.0156 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\atapi.sys. Real md5: efd553e411b7f9f809118c751a4429e3, Fake md5: 9f3a2f5aa6875c72bf062c712cfa2674
2010/11/18 17:51:20.0171 atapi - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/11/18 17:51:20.0250 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/11/18 17:51:20.0296 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/11/18 17:51:20.0375 AVGIDSDriver (0c61f066f4d94bd67063dc6691935143) C:\WINDOWS\system32\DRIVERS\AVGIDSDriver.Sys
2010/11/18 17:51:20.0437 AVGIDSEH (84853f800cd69252c3c764fe50d0346f) C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys
2010/11/18 17:51:20.0468 AVGIDSFilter (28d6adcd03e10f3838488b9b5d407dd4) C:\WINDOWS\system32\DRIVERS\AVGIDSFilter.Sys
2010/11/18 17:51:20.0500 AVGIDSShim (0eb16f4dbbb946360af30d2b13a52d1d) C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys
2010/11/18 17:51:20.0546 Avgldx86 (1119e5bec6e749e0d292f0f84d48edba) C:\WINDOWS\system32\DRIVERS\avgldx86.sys
2010/11/18 17:51:20.0578 Avgmfx86 (54f1a9b4c9b540c2d8ac4baa171696b1) C:\WINDOWS\system32\DRIVERS\avgmfx86.sys
2010/11/18 17:51:20.0609 Avgrkx86 (8da3b77993c5f354cc2977b7ea06d03a) C:\WINDOWS\system32\DRIVERS\avgrkx86.sys
2010/11/18 17:51:20.0671 Avgtdix (2fd3e3a57fb90679a3a83eeed0360cfd) C:\WINDOWS\system32\DRIVERS\avgtdix.sys
2010/11/18 17:51:20.0812 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/11/18 17:51:20.0906 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/11/18 17:51:20.0984 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/11/18 17:51:21.0046 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/11/18 17:51:21.0078 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/11/18 17:51:21.0359 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/11/18 17:51:21.0421 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/11/18 17:51:21.0484 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/11/18 17:51:21.0531 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/11/18 17:51:21.0593 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/11/18 17:51:21.0687 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/11/18 17:51:21.0750 EL2000 (d0c7f8ca97d16263d434d943b4b7004f) C:\WINDOWS\system32\DRIVERS\EL2K_XP.sys
2010/11/18 17:51:21.0843 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/11/18 17:51:21.0875 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/11/18 17:51:21.0921 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/11/18 17:51:21.0953 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/11/18 17:51:22.0015 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/11/18 17:51:22.0109 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/11/18 17:51:22.0171 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/11/18 17:51:22.0203 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2010/11/18 17:51:22.0265 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/11/18 17:51:22.0390 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/11/18 17:51:22.0515 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/11/18 17:51:22.0546 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/11/18 17:51:22.0656 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/11/18 17:51:22.0687 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/11/18 17:51:22.0750 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/11/18 17:51:22.0781 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/11/18 17:51:22.0812 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/11/18 17:51:22.0859 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/11/18 17:51:22.0906 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/11/18 17:51:22.0953 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/11/18 17:51:23.0000 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/11/18 17:51:23.0046 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/11/18 17:51:23.0093 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/11/18 17:51:23.0218 MBAMSwissArmy (c7dd7d9739785bd3a6b8499eec1dee7e) C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2010/11/18 17:51:23.0296 MidiSyn (63c34814492aa65fc517b002de77b191) C:\WINDOWS\system32\drivers\MidiSyn.sys
2010/11/18 17:51:23.0406 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/11/18 17:51:23.0453 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/11/18 17:51:23.0468 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/11/18 17:51:23.0500 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/11/18 17:51:23.0593 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/11/18 17:51:23.0671 MRxSmb (60ae98742484e7ab80c3c1450e708148) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/11/18 17:51:23.0750 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/11/18 17:51:23.0796 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/11/18 17:51:23.0828 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/11/18 17:51:23.0859 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/11/18 17:51:23.0906 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/11/18 17:51:23.0953 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/11/18 17:51:24.0015 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/11/18 17:51:24.0046 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/11/18 17:51:24.0109 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/11/18 17:51:24.0140 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/11/18 17:51:24.0171 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/11/18 17:51:24.0203 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/11/18 17:51:24.0265 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/11/18 17:51:24.0359 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/11/18 17:51:24.0437 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/11/18 17:51:24.0593 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/11/18 17:51:24.0718 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2010/11/18 17:51:24.0828 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/11/18 17:51:24.0859 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/11/18 17:51:24.0921 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/11/18 17:51:24.0968 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/11/18 17:51:25.0015 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/11/18 17:51:25.0046 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/11/18 17:51:25.0140 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/11/18 17:51:25.0187 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/11/18 17:51:25.0484 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/11/18 17:51:25.0531 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2010/11/18 17:51:25.0562 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/11/18 17:51:25.0625 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/11/18 17:51:25.0656 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/11/18 17:51:25.0843 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/11/18 17:51:25.0890 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/11/18 17:51:25.0921 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/11/18 17:51:25.0953 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/11/18 17:51:26.0000 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/11/18 17:51:26.0031 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/11/18 17:51:26.0109 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/11/18 17:51:26.0156 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/11/18 17:51:26.0265 RT73 (bf4709c002d632170dc15a282813d6b3) C:\WINDOWS\system32\DRIVERS\rt73.sys
2010/11/18 17:51:26.0375 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/11/18 17:51:26.0421 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/11/18 17:51:26.0468 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/11/18 17:51:26.0500 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/11/18 17:51:26.0625 smwdm (7d9b50329af9fd94b0529282530d2cb7) C:\WINDOWS\system32\drivers\smwdm.sys
2010/11/18 17:51:26.0718 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/11/18 17:51:26.0781 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/11/18 17:51:26.0859 Srv (3bb03f2ba89d2be417206c373d2af17c) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/11/18 17:51:26.0906 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/11/18 17:51:26.0953 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/11/18 17:51:27.0125 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/11/18 17:51:27.0218 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/11/18 17:51:27.0281 Tcpip6 (fb9f32acc1d3ad523f7ec900b66fc1bb) C:\WINDOWS\system32\DRIVERS\tcpip6.sys
2010/11/18 17:51:27.0343 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/11/18 17:51:27.0375 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/11/18 17:51:27.0406 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/11/18 17:51:27.0515 tunmp (8f861eda21c05857eb8197300a92501c) C:\WINDOWS\system32\DRIVERS\tunmp.sys
2010/11/18 17:51:27.0546 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/11/18 17:51:27.0656 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/11/18 17:51:27.0734 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/11/18 17:51:27.0765 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/11/18 17:51:27.0796 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/11/18 17:51:27.0828 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/11/18 17:51:27.0859 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/11/18 17:51:27.0921 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/11/18 17:51:27.0984 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/11/18 17:51:28.0093 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/11/18 17:51:28.0265 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/11/18 17:51:28.0328 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/11/18 17:51:28.0546 ================================================================================
2010/11/18 17:51:28.0546 Scan finished
2010/11/18 17:51:28.0546 ================================================================================
2010/11/18 17:51:28.0578 Detected object count: 1
2010/11/18 17:57:56.0609 atapi (efd553e411b7f9f809118c751a4429e3) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/11/18 17:57:56.0609 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\atapi.sys. Real md5: efd553e411b7f9f809118c751a4429e3, Fake md5: 9f3a2f5aa6875c72bf062c712cfa2674
2010/11/18 17:57:58.0062 Backup copy found, using it..
2010/11/18 17:57:58.0093 C:\WINDOWS\system32\DRIVERS\atapi.sys - will be cured after reboot
2010/11/18 17:57:58.0093 Rootkit.Win32.TDSS.tdl3(atapi) - User select action: Cure
2010/11/18 18:28:59.0781 Deinitialize success

Again, thanks well in advance for the assist.

Attached Files



#7 DisNfected

DisNfected
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:07:05 AM

Posted 19 November 2010 - 01:20 AM

Well, what do you know...it worked!

The Alureon.F virus is no more!! YIPPY!!!

Thank you, Thank you, Thank you!!! I've been working on the infected computer for nearly 2-weeks trying to clean the Alureon.F and Vundo.B viruses from it. I was able to cleaned the Vundo.B virus using HijackThis, v2.0.4, but the Alureon.F virus was persistent! I was finally able to run Windows Updates, as well as update all my other anti-virus/malware applications, i.e., MS Windows Essentials 2011, Windows Defender and Advanced SystemCure-Free Ed.). Feels good to finally accomplish this problem.

Thanks again, Syler. Very much appreciate the assist!

#8 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:02:05 PM

Posted 19 November 2010 - 04:20 AM

Good to hear it worked, let's do some more checks to make sure their is nothing else lurking on your system.


We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
    Under the Custom Scans/Fixes box at the bottom, paste in the following bold text.

    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\*. /mp /s
    %SYSTEMDRIVE%\*.exe
    netsvcs
    msconfig
    drivers32
    CREATERESTOREPOINT

  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

unite.jpg


#9 DisNfected

DisNfected
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:07:05 AM

Posted 19 November 2010 - 11:11 AM

I'm at work presently, so I'll run the OTL report when I get home. I want to share with the readers the steps I took to resolve this matter up to this point. I think it's important to clarify the process so that others who might be having this same problem can perhaps take the same or similar action steps to resolve their visus problem.

Note: All anti-spyware/malware/virus programs are "freeware" except as indicated.

As stated previously, the two viruses I encountered were Vundo.B and Alureon.F. (I assume the alphabetic filename extention represents the latest encursion of the aforementioned viruses.) Initially, I ran my AVG Anti-Virus program (2011 ver), but as reported in the OP it didn't catch the virus. My Windows Updates was turned off by one of the viruses, so I wasn't getting any Windows security updates. I hadn't installed Windows Essentials nor Windows Defender at the time either. However, I did have PC Tools Registry Mechanic installed on the affected computer, but it wasn't finding the affected registry keys. I knew Internet Explorer was also affected, so I tried to update the browser to the latest version, but it wouldn't take.

After researching the symptoms of my virus problem further, it was recommended that I run Malwarebytes. This software found both viruses, but was only able to clean the Vundo.B virus. From here, I installed and ran both Windows Essentials and Windows Defender. Unfortunately, neither of these programs worked, but I believe that was because I still wasn't able to download Windows security updates. So, it was back to the drawing board...more research.

I learned about HijackThis (v2.0.4) and Advanced SystemCare (ASC, v.2.0.0.4) from CNET.com. So, I installed and ran both programs starting with HiJackThis which provided me with the diagnosic report found in the OP. It should be noted at this point prior to running this software, I unplugged my internet connection and temporarily disabled my AVG Anti-virus software as I had recalled reading that people with simimar virus symptoms had done the same thing to prevent the virus from "seeing" their anti-virus software at reboot. I was surprised at the results HiJackThis revealed because as I clicked on the "Info on selected item" button for each item reported, at the bottom of each error report the solution seemded to be that the program would correct the registry error once I restarted Windows w/o having to used the "Fix checked" button. So, I restarted Windows and most of the errors were corrected.

I then ran ASC and it caught several registry, spyware, junk file and HD defrag errors the other programs missed. AND it corrected the problems automatically. (Note: Unfortunately, I wasn't aware of how successful this program had been at fixing most of the remaining registry and file errors until after I had returned home yesterday evening as I had begun the ACS scan that morning prior to going to work.) I then posted the HiJackThis log here and followed Syler's advice from there on. Except for taking the final step and running the OTL report, the only other things I did once the Alureon.F virus was finally removed (or it appears to have been anyway at this stage) were:

- Run Windows Update to get all current Windows security fixes including those for Windows Essentials 2011 and Windowns Defender.
- Update my AVG Anti-Virus.
- Run a complete anti-virus scan and followed that scan up by running both Windows Essentials and Defender.
- Reschedule Windows Update, Essentials, Defender and AVG to update and run scans daily.
- Changed my file scan protocals in the aforementioned anti-virus/malware/spyware programs to also scan media files. From reviewing the HiJackThis log, it became apparent to me that these are the types of programs hackers look for as they apparently are the most vunerable and are often used as a "backdoor" to send feedback to a remote server concerning information on most computers. I can't stress enough the importance of making this change in your file scanning protocals!!
- Used the "start-up" configurations in ACS to stop all media and communicator programs from loading when Windows XP starts, ie., iTunes, SoundMAX, all instant messeger communicators (i.e., AIM, Yahoo Messenger, Windows Messenger, ICQ, etc.) I used ACS to do this because I couldn't find these programs listed in my "Programs>Start" menu.

And that's about it, folks. It took alot to clean these viruses from my computer (or atleast get it to where it's running somewhat normally again). I thank you, Syler, for helping to get me to the final cleaning stage. In summary, I would suggest the following security measures for Windows XP Home and/or Professional users:

- Keep your anti-virus software updated and schedule daily scans and program updates. Force manual scans/updates as necessary or whenever you suspect a problem with your computer.
- Set your Windows Update to check for updates daily.
- Install both Windows Essentials and Windows Defender. You could set these programs to search for updates daily, but any updates they may have will come with Windows Updates anyway. Therefore, I would recommend setting these programs up for daily scans only and let Windows Update provide the necessary individual program updates.
- Install Advanced SystemCare and set it to scan for updates daily, but run scans regularly. For me, it has been the best registry/junk file/HD maintenance program I have used to date - better than PC Tools Registry Mechanic tool - and it corrects most problems automatically.

Good Luck to all! And thanks again to Syler for your help. Keep up the good work because hackers never take an off day.

One last thing...

I noticed also that Adobe Acrobat Reader would also pop-up and/or download updates by itself. This hasn't happened since I was able to remove the viruses. So, I'm wondering would it be better to obtain Adobe Reader updates directly from their website? It would appear the Adobe downloader(s) also have a vunerability.

Edited by DisNfected, 19 November 2010 - 11:35 AM.


#10 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:02:05 PM

Posted 19 November 2010 - 02:09 PM

HiDisNfected,

I know you are only trying to be helpful with your advice, but when cleaning malware, each computer should be look at on an individual basis, as different people will have different machines and circumstances, their are also lot's of different malware variants, that may need to be dealt with differently.

Running updated scans with Malwarebytes and your installed AV is always a good idea, but they may not always catch everything. We do not recommend running registry cleaning programs, unless you know about the registry and what it is you are removing, as modifying the registry can cause irreparable damage to your Operating System. It is also not recommended to update the operating system whilst you are infected, as doing so can also cause more damage to the OS.

Running Hijackthis to fix entries should only be done if you know how to use it properly, a guide to explain Hijackthis and how to use it can be found here. When you click the "Info on selected item" button in Hijackthis, it does not tell you what action it has already taken, it explain what action will be taken if you click the "Fix checked" button and you should never select all the entries in Hijackthis to fix, as most of the entries in HJT are usually legitimate and removing them all, will cause more problems.

Edited by syler, 19 November 2010 - 02:10 PM.

unite.jpg


#11 DisNfected

DisNfected
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:07:05 AM

Posted 19 November 2010 - 04:13 PM

Syler,

Very good points. Of course, I defer to your expertise, as well as that of other software specialist herein. I hope yourself and the readers don't misinterpret my suggested security steps particularly at the end of my last post. These are things I believe everyone should do only after ensuring they have their virus problem resolved. For as you can see, I tried running most of the security procedures while unaware of just how heavily infected my PC was and look at where it got me? So, no. I wouldn't dare attempt to lead from a position where I have little to no expertise.

As to the HiJackThis log results, I'm still confused as to exactly how to use the "Fix checked" button. I have the guide and have been reading up on the program. Still, I was amazed that I didn't have to use the "Fix checked" button after I ran the initial scan. The program found the errors and fixed most of them itself once I rebooted my system. Still, for non-code writers/novice users of the software like myself, I think it wise to just let the program do the repairs and/or defer to the professional expertise of folks like yourself in a pinch.

Again, I thank you. I'll run the OTL report this evening and post the results for your review.

Edited by DisNfected, 19 November 2010 - 04:16 PM.


#12 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:02:05 PM

Posted 19 November 2010 - 05:20 PM

Some of the points you made were good points, like updating and running your scanners, as sometimes this may be able to solve your problems, but as you have experienced, some malware can stop you from doing these things.

Also, updating Windows and other programs such as Adobe and Java, is probably the most important of all, as a lot of malware gets on to computers, by exploiting the vulnerabilities in an unpatched OS or programs.

As for Hijackthis, I know that it does not have any auto fix feature, so I can only speculate as to what might of happened. If you had run another program that had fixed them entries, but it had set them to be removed on the next normal boot. You had then rebooted and gone into safe mode to run HJT and the entries were still there, because you had not done a normal boot yet. You then booted normally and the entries then got removed by the other program, so they were no longer showing in HJT.

unite.jpg


#13 DisNfected

DisNfected
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:07:05 AM

Posted 19 November 2010 - 07:33 PM

OTL.txt file is as follows:

OTL logfile created on: 11/19/2010 6:05:40 PM - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\Mom & Dad\Desktop\Virus-Malware Apps\Windows Security
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 139.00 Mb Available Physical Memory | 27.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 70.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 50.79 Gb Total Space | 4.37 Gb Free Space | 8.60% Space Free | Partition Type: NTFS
Drive D: | 23.73 Gb Total Space | 22.38 Gb Free Space | 94.32% Space Free | Partition Type: FAT32
Drive K: | 6.67 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive L: | 3.74 Gb Total Space | 2.99 Gb Free Space | 79.98% Space Free | Partition Type: FAT32

Computer Name: BROWN-LANIER | User Name: Mom & Dad | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/11/19 10:30:34 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Mom & Dad\Desktop\Virus-Malware Apps\Windows Security\OTL.exe
PRC - [2010/10/11 12:58:12 | 006,104,656 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
PRC - [2010/10/11 12:58:12 | 000,725,072 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSMonitor.exe
PRC - [2010/10/06 17:24:38 | 000,652,640 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgrsx.exe
PRC - [2010/10/06 17:24:36 | 001,065,824 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgnsx.exe
PRC - [2010/10/06 17:24:08 | 000,845,664 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgcsrvx.exe
PRC - [2010/10/06 17:24:08 | 000,647,008 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgchsvx.exe
PRC - [2010/09/28 21:33:02 | 002,407,632 | ---- | M] (IObit) -- C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
PRC - [2010/09/15 05:29:10 | 002,745,696 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgtray.exe
PRC - [2010/09/10 01:45:22 | 000,265,400 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgwdsvc.exe
PRC - [2010/09/07 03:50:22 | 001,047,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgemcx.exe
PRC - [2008/04/13 18:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2002/09/20 15:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


========== Modules (SafeList) ==========

MOD - [2010/11/19 10:30:34 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Mom & Dad\Desktop\Virus-Malware Apps\Windows Security\OTL.exe
MOD - [2010/08/23 10:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2009/07/12 01:12:06 | 000,632,656 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcr80.dll
MOD - [2009/07/12 01:09:20 | 000,554,832 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcp80.dll
MOD - [2008/04/13 11:37:57 | 000,208,384 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\rsaenh.dll
MOD - [2006/11/03 19:20:00 | 000,083,224 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MpShHook.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2010/10/11 12:58:12 | 006,104,656 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe -- (AVGIDSAgent)
SRV - [2010/10/06 11:31:48 | 000,517,448 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe -- (AVG Security Toolbar Service)
SRV - [2010/09/10 01:45:22 | 000,265,400 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG10\avgwdsvc.exe -- (avgwd)
SRV - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2002/09/20 15:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))


========== Driver Services (SafeList) ==========

DRV - [2010/09/13 16:27:24 | 000,025,680 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys -- (AVGIDSEH)
DRV - [2010/09/07 03:49:00 | 000,298,448 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgtdix.sys -- (Avgtdix)
DRV - [2010/09/07 03:48:56 | 000,034,384 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (Avgmfx86)
DRV - [2010/09/07 03:48:54 | 000,249,424 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (Avgldx86)
DRV - [2010/09/07 03:48:50 | 000,026,064 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\avgrkx86.sys -- (Avgrkx86)
DRV - [2010/08/19 21:42:38 | 000,030,288 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSFilter.sys -- (AVGIDSFilter)
DRV - [2010/08/19 21:42:36 | 000,123,472 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSDriver.sys -- (AVGIDSDriver)
DRV - [2010/08/19 21:42:34 | 000,026,192 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSShim.sys -- (AVGIDSShim)
DRV - [2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2010/02/11 06:02:15 | 000,226,880 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tcpip6.sys -- (Tcpip6)
DRV - [2005/08/02 22:00:36 | 000,232,192 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rt73.sys -- (RT73)
DRV - [2004/08/03 23:29:54 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2003/07/17 09:22:10 | 000,147,328 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\EL2K_XP.sys -- (EL2000)
DRV - [2002/09/19 20:53:34 | 000,235,100 | ---- | M] (Analog Devices Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MidiSyn.sys -- (MidiSyn)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1202660629-1482476501-839522115-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKU\S-1-5-21-1202660629-1482476501-839522115-1008\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
IE - HKU\S-1-5-21-1202660629-1482476501-839522115-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1202660629-1482476501-839522115-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:50370

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.msn.com/"
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:10.0.0.1151
FF - prefs.js..extensions.enabledItems: avg@igeared:6.010.006.004
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 50370
FF - prefs.js..network.proxy.type: 4

FF - HKLM\software\mozilla\Firefox\extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG10\Firefox\ [2010/11/12 11:43:22 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\avg@igeared: C:\Program Files\AVG\AVG10\Toolbar\Firefox\avg@igeared [2010/11/12 11:45:12 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.15\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/11/19 17:01:05 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.15\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/11/19 17:01:05 | 000,000,000 | ---D | M]

[2010/01/25 19:28:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mom & Dad\Application Data\Mozilla\Extensions
[2010/01/25 19:28:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mom & Dad\Application Data\Mozilla\Firefox\Profiles\ve9mvbdr.default\extensions
[2010/01/13 23:40:43 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2003/03/31 06:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
O3 - HKU\S-1-5-21-1202660629-1482476501-839522115-1008\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-1202660629-1482476501-839522115-1008..\Run: [Advanced SystemCare 3] C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe (IObit)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\PhishingFilter present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1202660629-1482476501-839522115-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKU\S-1-5-21-1202660629-1482476501-839522115-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1259281569481 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1259282824843 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Value error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 69.1.30.43 69.1.30.42
O18 - Protocol\Handler\avgsecuritytoolbar {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - AppInit_DLLs: (nazoluha.dll) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Mom & Dad\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Mom & Dad\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/11/26 17:21:10 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/04/25 19:32:50 | 000,000,090 | ---- | M] () - D:\AUTORUN.INF -- [ FAT32 ]
O32 - AutoRun File - [2008/05/06 06:26:23 | 000,000,309 | R--- | M] () - K:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\{38168598-ee0f-11de-aca3-00173f165f3a}\Shell - "" = AutoRun
O33 - MountPoints2\{38168598-ee0f-11de-aca3-00173f165f3a}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{38168598-ee0f-11de-aca3-00173f165f3a}\Shell\AutoRun\command - "" = K:\LaunchU3.exe -- [2007/10/23 01:45:39 | 001,336,632 | R--- | M] ()
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgchsvx.exe /sync) - C:\Program Files\AVG\AVG10\avgchsvx.exe (AVG Technologies CZ, s.r.o.)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgrsx.exe /sync /restart) - C:\Program Files\AVG\AVG10\avgrsx.exe (AVG Technologies CZ, s.r.o.)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
NetSvcs: HidServ - C:\WINDOWS\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found


Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.VP60 - C:\WINDOWS\system32\vp6vfw.dll (On2.com)
Drivers32: vidc.VP61 - C:\WINDOWS\system32\vp6vfw.dll (On2.com)
Drivers32: vidc.yv12 - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 30 Days ==========

[2010/11/18 21:44:19 | 000,974,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mfc42.dll
[2010/11/18 21:44:19 | 000,953,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mfc40u.dll
[2010/11/18 21:43:50 | 000,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\comctl32.dll
[2010/11/18 21:43:31 | 000,744,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\helpsvc.exe
[2010/11/18 21:42:18 | 000,743,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iedvtool.dll
[2010/11/18 21:40:20 | 003,558,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\moviemk.exe
[2010/11/18 17:51:00 | 001,339,480 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Mom & Dad\Desktop\TDSSKiller.exe
[2010/11/18 06:58:57 | 000,000,000 | ---D | C] -- C:\Program Files\IObit
[2010/11/18 06:58:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mom & Dad\Application Data\IObit
[2010/11/17 20:49:10 | 000,096,512 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\rxpzioik.sys
[2010/11/17 19:04:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mom & Dad\Desktop\Virus-Malware Apps
[2010/11/17 07:28:33 | 000,096,512 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\jnngbkof.sys
[2010/11/17 01:09:55 | 000,222,080 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2010/11/16 23:42:20 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Defender
[2010/11/16 22:02:02 | 000,096,512 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\pwlxiyln.sys
[2010/11/16 20:49:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\MpEngineStore
[2010/11/13 12:03:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mom & Dad\Application Data\Malwarebytes
[2010/11/13 12:03:45 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/11/13 12:03:43 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/11/13 12:03:43 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/11/13 12:03:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/11/12 17:47:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mom & Dad\My Documents\Documents
[2010/11/12 15:45:49 | 000,000,000 | ---D | C] -- C:\Program Files\Free Window Registry Repair
[2010/11/12 15:20:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mom & Dad\Local Settings\Application Data\PackageAware
[2010/11/12 14:59:32 | 015,633,288 | ---- | C] (PC Tools ) -- C:\Documents and Settings\Mom & Dad\Desktop\rminstall.exe
[2010/11/12 11:45:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
[2010/11/12 11:42:54 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\AVG
[2010/11/12 00:44:41 | 000,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2010/11/11 21:31:21 | 000,000,000 | ---D | C] -- C:\Program Files\MSN
[2010/11/11 21:31:11 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2010/11/11 21:30:44 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2010/11/11 18:09:59 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Mom & Dad\My Documents\My Videos
[2010/11/11 13:40:52 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie8(2)
[2010/11/11 09:56:27 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Essentials
[2010/11/11 08:26:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mom & Dad\Application Data\DivX
[2010/11/11 08:26:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mom & Dad\My Documents\DivX Movies
[2010/11/11 07:11:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mom & Dad\My Documents\Downloads
[2010/11/09 09:17:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mom & Dad\Desktop\Carl
[2010/11/09 09:07:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mom & Dad\Desktop\Mark
[2010/11/09 08:57:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mom & Dad\Desktop\Desiree
[2010/11/09 06:45:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mom & Dad\Local Settings\Application Data\AVG Security Toolbar
[2010/11/09 06:35:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mom & Dad\Desktop\Courtney
[2010/11/08 21:25:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mom & Dad\Application Data\AVG
[2010/11/08 20:15:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mom & Dad\Application Data\AVG10
[2010/11/08 20:13:17 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2010/11/08 20:11:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVG10
[2010/11/08 19:48:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2010/11/07 16:28:30 | 000,012,536 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx(2)(2).dll
[2010/11/06 13:03:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mom & Dad\Local Settings\Application Data\Apple
[2010/11/06 12:51:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mom & Dad\Application Data\U3

========== Files - Modified Within 30 Days ==========

[2010/11/19 18:00:00 | 000,000,296 | ---- | M] () -- C:\WINDOWS\tasks\vafhdasb.job
[2010/11/19 17:41:03 | 000,000,396 | ---- | M] () -- C:\WINDOWS\tasks\AVG PC Tuneup 2011 Integrator Start On Windows Logon.job
[2010/11/19 17:08:59 | 000,013,738 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/11/19 17:08:54 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/11/19 07:46:29 | 099,632,045 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm
[2010/11/18 23:39:54 | 000,109,400 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/11/18 22:58:44 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/11/18 19:00:00 | 000,000,262 | ---- | M] () -- C:\WINDOWS\tasks\RMSchedule.job
[2010/11/18 06:59:04 | 000,000,874 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Advanced SystemCare.lnk
[2010/11/17 20:49:10 | 000,096,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\rxpzioik.sys
[2010/11/17 07:28:33 | 000,096,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\jnngbkof.sys
[2010/11/17 07:24:00 | 001,339,480 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Mom & Dad\Desktop\TDSSKiller.exe
[2010/11/16 22:02:02 | 000,096,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\pwlxiyln.sys
[2010/11/13 12:03:48 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/11/12 15:45:51 | 000,000,718 | ---- | M] () -- C:\Documents and Settings\Mom & Dad\Desktop\Free Window Registry Repair.lnk
[2010/11/12 14:59:39 | 015,633,288 | ---- | M] (PC Tools ) -- C:\Documents and Settings\Mom & Dad\Desktop\rminstall.exe
[2010/11/11 06:41:17 | 000,311,604 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/11/11 06:41:17 | 000,039,992 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/11/08 21:00:40 | 000,000,830 | ---- | M] () -- C:\Documents and Settings\Mom & Dad\Desktop\AVG PC Tuneup 2011.lnk
[2010/11/07 17:28:09 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\Mom & Dad\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/11/07 16:28:30 | 000,012,536 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx(2)(2).dll
[2010/11/06 13:32:15 | 000,000,104 | ---- | M] () -- C:\Documents and Settings\Mom & Dad\Desktop\My Computer.lnk
[2010/11/06 12:15:16 | 000,003,071 | ---- | M] () -- C:\WINDOWS\Ascd_tmp.ini

========== Files Created - No Company Name ==========

[2099/01/01 12:00:00 | 000,006,456 | -H-- | C] () -- C:\WINDOWS\System32\fanijowu
[2010/11/19 07:46:29 | 099,632,045 | ---- | C] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm
[2010/11/18 06:59:04 | 000,000,874 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Advanced SystemCare.lnk
[2010/11/13 12:03:48 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/11/12 15:45:51 | 000,000,718 | ---- | C] () -- C:\Documents and Settings\Mom & Dad\Desktop\Free Window Registry Repair.lnk
[2010/11/12 15:02:37 | 000,000,262 | ---- | C] () -- C:\WINDOWS\tasks\RMSchedule.job
[2010/11/12 01:17:54 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\Mom & Dad\S-1-5-21-1202660629-1482476501-839522115-1008.rrr.LOG
[2010/11/08 21:00:56 | 000,000,396 | ---- | C] () -- C:\WINDOWS\tasks\AVG PC Tuneup 2011 Integrator Start On Windows Logon.job
[2010/11/08 21:00:40 | 000,000,830 | ---- | C] () -- C:\Documents and Settings\Mom & Dad\Desktop\AVG PC Tuneup 2011.lnk
[2010/11/07 17:28:09 | 000,001,602 | ---- | C] () -- C:\Documents and Settings\Mom & Dad\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/11/06 13:32:15 | 000,000,104 | ---- | C] () -- C:\Documents and Settings\Mom & Dad\Desktop\My Computer.lnk
[2009/12/01 18:38:30 | 000,003,071 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2009/12/01 18:38:29 | 000,005,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2009/11/26 09:02:02 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2006/10/22 12:22:00 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/10/22 12:22:00 | 001,470,464 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/10/22 12:22:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/10/22 12:22:00 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006/10/22 12:22:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/10/22 12:22:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/10/22 12:22:00 | 000,212,992 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2006/10/22 12:22:00 | 000,000,862 | ---- | C] () -- C:\WINDOWS\System32\setup.ini

========== Custom Scans ==========


< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\*. /mp /s >

< %SYSTEMDRIVE%\*.exe >

========== Alternate Data Streams ==========

@Alternate Data Stream - 158 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1
@Alternate Data Stream - 142 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4

< End of report >

Extra.txt file is as follows:

OTL Extras logfile created on: 11/19/2010 6:05:40 PM - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\Mom & Dad\Desktop\Virus-Malware Apps\Windows Security
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 139.00 Mb Available Physical Memory | 27.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 70.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 50.79 Gb Total Space | 4.37 Gb Free Space | 8.60% Space Free | Partition Type: NTFS
Drive D: | 23.73 Gb Total Space | 22.38 Gb Free Space | 94.32% Space Free | Partition Type: FAT32
Drive K: | 6.67 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive L: | 3.74 Gb Total Space | 2.99 Gb Free Space | 79.98% Space Free | Partition Type: FAT32

Computer Name: BROWN-LANIER | User Name: Mom & Dad | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_USERS\S-1-5-21-1202660629-1482476501-839522115-1008\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1723:TCP" = 1723:TCP:*:Enabled:@xpsp2res.dll,-22015
"1701:UDP" = 1701:UDP:*:Enabled:@xpsp2res.dll,-22016
"500:UDP" = 500:UDP:*:Enabled:@xpsp2res.dll,-22017

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1723:TCP" = 1723:TCP:*:Enabled:@xpsp2res.dll,-22015
"1701:UDP" = 1701:UDP:*:Enabled:@xpsp2res.dll,-22016
"500:UDP" = 500:UDP:*:Enabled:@xpsp2res.dll,-22017

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Ares\Ares.exe" = C:\Program Files\Ares\Ares.exe:*:Enabled:Ares p2p for windows -- (Ares Development Group)
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Program Files\THQ\Dawn Of War\W40k.exe" = C:\Program Files\THQ\Dawn Of War\W40k.exe:*:Enabled:W40k -- (THQ Canada Inc.)
"C:\Program Files\THQ\Dawn Of War\W40kWA.exe" = C:\Program Files\THQ\Dawn Of War\W40kWA.exe:*:Enabled:W40kWA -- (THQ Canada Inc.)
"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Enabled:Explorer -- (Microsoft Corporation)
"C:\Program Files\Analog Devices\SoundMAX\SMax4.exe" = C:\Program Files\Analog Devices\SoundMAX\SMax4.exe:*:Enabled:Smax4 -- (Analog Devices, Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\AVG\AVG10\avgdiagex.exe" = C:\Program Files\AVG\AVG10\avgdiagex.exe:*:Enabled:AVG Diagnostics 2011 -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG10\avgnsx.exe" = C:\Program Files\AVG\AVG10\avgnsx.exe:*:Enabled:Online Shield -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG10\avgmfapx.exe" = C:\Program Files\AVG\AVG10\avgmfapx.exe:*:Enabled:AVG Installer -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG10\avgemcx.exe" = C:\Program Files\AVG\AVG10\avgemcx.exe:*:Enabled:Personal E-mail Scanner -- (AVG Technologies CZ, s.r.o.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0323CB96-221A-4042-84A3-93EDE47099FC}" = AVG 2011
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1A258E63-8DF5-4ADB-9832-38A0121D65EB}" = AVG 2011
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java™ 6 Update 17
"{2D37F6AE-D201-4580-B91A-6BF9BB93ED2D}" = The Sims™ 2 Double Deluxe
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{50316C0A-CC2A-460A-9EA5-F486E54AC17D}_is1" = AVG PC Tuneup 2011
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{90850409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Word Viewer 2003
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}" = iTunes
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A82000000003}" = Adobe Reader 8.2.5
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Plus Web Player
"{D0B36BAF-3E9D-423E-8821-ED238C18DB0A}" = Warhammer 40,000: Dawn Of War - Gold Edition
"{E6B87DC4-2B3D-4483-ADFF-E483BF718991}" = OpenOffice.org 3.1
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Advanced SystemCare 3_is1" = Advanced SystemCare 3
"Ares" = Ares 2.1.2
"AVG" = AVG 2011
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"Free Window Registry Repair" = Free Window Registry Repair
"ie8" = Windows Internet Explorer 8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mozilla Firefox (3.5.15)" = Mozilla Firefox (3.5.15)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NVIDIA Drivers" = NVIDIA Drivers
"uTorrent" = µTorrent
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/19/2010 7:00:35 PM | Computer Name = BROWN-LANIER | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 11/19/2010 7:00:37 PM | Computer Name = BROWN-LANIER | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 11/19/2010 7:01:08 PM | Computer Name = BROWN-LANIER | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 11/19/2010 7:01:09 PM | Computer Name = BROWN-LANIER | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 11/19/2010 7:01:12 PM | Computer Name = BROWN-LANIER | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 11/19/2010 7:01:12 PM | Computer Name = BROWN-LANIER | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 11/19/2010 7:01:12 PM | Computer Name = BROWN-LANIER | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 11/19/2010 7:01:12 PM | Computer Name = BROWN-LANIER | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 11/19/2010 7:01:13 PM | Computer Name = BROWN-LANIER | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 11/19/2010 7:01:13 PM | Computer Name = BROWN-LANIER | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

[ System Events ]
Error - 11/17/2010 8:38:15 PM | Computer Name = BROWN-LANIER | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 11/18/2010 8:30:09 AM | Computer Name = BROWN-LANIER | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 11/18/2010 8:30:09 AM | Computer Name = BROWN-LANIER | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 11/18/2010 8:30:10 AM | Computer Name = BROWN-LANIER | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Themes service to connect.

Error - 11/18/2010 8:30:10 AM | Computer Name = BROWN-LANIER | Source = Service Control Manager | ID = 7000
Description = The Themes service failed to start due to the following error: %%1053

Error - 11/18/2010 9:55:30 AM | Computer Name = BROWN-LANIER | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Themes service to connect.

Error - 11/18/2010 9:55:30 AM | Computer Name = BROWN-LANIER | Source = Service Control Manager | ID = 7000
Description = The Themes service failed to start due to the following error: %%1053

Error - 11/18/2010 9:55:30 AM | Computer Name = BROWN-LANIER | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the DHCP Client service to
connect.

Error - 11/18/2010 9:55:30 AM | Computer Name = BROWN-LANIER | Source = Service Control Manager | ID = 7000
Description = The DHCP Client service failed to start due to the following error:
%%1053

Error - 11/18/2010 8:30:19 PM | Computer Name = BROWN-LANIER | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring
the volume.


< End of report >

Attached Files



#14 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:02:05 PM

Posted 20 November 2010 - 09:03 AM

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and updates. Download and install the latest version of Java from here, Once you have installed the latest Java, run JavaRa to clean up your old remnants.

Please download JavaRa and unzip it to your desktop.
Then Print these instructions as you won't have Internet access during this particular phase.

Close any instances of Internet Explorer before continuing
  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English or the appropriate language...and click on Select.
  • JavaRa will open; Select Remove Older Versions, click yes, then ok.
  • A logfile will pop up, you can close it.
  • Now select Additional Tasks and check the following:

    Remove Useless JRE Files
    Remove Startup Entry

  • Click Go then ok to all the prompts, once done restart your computer.



Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555
    IE - HKU\S-1-5-21-1202660629-1482476501-839522115-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:50370  
    FF - prefs.js..network.proxy.http: "127.0.0.1"
    FF - prefs.js..network.proxy.http_port: 50370
    FF - prefs.js..network.proxy.type: 4
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Value error.)
    O20 - AppInit_DLLs: (nazoluha.dll) - File not found
    [2010/11/17 20:49:10 | 000,096,512 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\rxpzioik.sys
    [2010/11/17 07:28:33 | 000,096,512 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\jnngbkof.sys
    [2010/11/16 22:02:02 | 000,096,512 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\pwlxiyln.sys
    [2010/11/19 18:00:00 | 000,000,296 | ---- | M] () -- C:\WINDOWS\tasks\vafhdasb.job
    [2099/01/01 12:00:00 | 000,006,456 | -H-- | C] () -- C:\WINDOWS\System32\fanijowu
    :Commands
    [emptytemp]
    [emptyflash]
    
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Then also run a new OTL scan by clicking Run Scan and post the new OTL log.



Please do a scan with ESET OnlineScan

Note: If you run this in a browser other than IE you will be asked to download and install esetsmartinstaller_enu.exe
  • Click the Posted Image button.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser and allow it to install the ActiveX control.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


Then in your next reply, please let me know if you are having any more problems and post back here with the following logs:

  • OTL results
  • New OTL log
  • ESET report

Thanks

unite.jpg


#15 DisNfected

DisNfected
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:07:05 AM

Posted 20 November 2010 - 03:17 PM

I followed the instructions to the letter. However, once the ESET OnlineScan was complete, I didn't see a way to save the scan results to a file. So, I wrote down the 2 infections the scan found:

- WMA/TrojanDownloader.getCodec.gen

ESET action: quarantined

- Win32/Adware.SuperJuan

ESET action: deleted

The results of the two OTL log reports are attached. The first OTL log is "New OTL Report-11202010-113030" which was conducted immediately after updating to JavaRuntime 6.22. The results of this scan are posted below:

All processes killed
========== OTL ==========
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
HKU\S-1-5-21-1202660629-1482476501-839522115-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
Prefs.js: "127.0.0.1" removed from network.proxy.http
Prefs.js: 50370 removed from network.proxy.http_port
Prefs.js: 4 removed from network.proxy.type
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:nazoluha.dll deleted successfully.
C:\WINDOWS\system32\drivers\rxpzioik.sys moved successfully.
C:\WINDOWS\system32\drivers\jnngbkof.sys moved successfully.
C:\WINDOWS\system32\drivers\pwlxiyln.sys moved successfully.
C:\WINDOWS\tasks\vafhdasb.job moved successfully.
C:\WINDOWS\system32\fanijowu moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Carl

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Mark
->Temporary Internet Files folder emptied: 1188105 bytes

User: Mom & Dad
->Temp folder emptied: 171167865 bytes
->Temporary Internet Files folder emptied: 99275237 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 52299581 bytes
->Flash cache emptied: 1250 bytes

User: NetworkService
->Temp folder emptied: 77298 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 172493 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 993708 bytes
RecycleBin emptied: 7673054 bytes

Total Files Cleaned = 318.00 mb


[EMPTYFLASH]

User: All Users

User: Carl

User: Default User

User: LocalService

User: Mark

User: Mom & Dad
->Flash cache emptied: 0 bytes

User: NetworkService

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.17.3 log created on 11202010_113030

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

******END OTL Log******


The second OTL log is "OTL-Port Reboot Report". The results are as follows:

OTL logfile created on: 11/20/2010 11:35:43 AM - Run 2
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\Mom & Dad\Desktop\Virus-Malware Apps\Windows Security
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 194.00 Mb Available Physical Memory | 38.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 69.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 50.79 Gb Total Space | 4.62 Gb Free Space | 9.10% Space Free | Partition Type: NTFS
Drive D: | 23.73 Gb Total Space | 22.38 Gb Free Space | 94.32% Space Free | Partition Type: FAT32
Drive K: | 6.67 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive L: | 3.74 Gb Total Space | 2.99 Gb Free Space | 79.97% Space Free | Partition Type: FAT32

Computer Name: BROWN-LANIER | User Name: Mom & Dad | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/11/19 10:30:34 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Mom & Dad\Desktop\Virus-Malware Apps\Windows Security\OTL.exe
PRC - [2010/10/11 12:58:12 | 006,104,656 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
PRC - [2010/10/11 12:58:12 | 000,725,072 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSMonitor.exe
PRC - [2010/10/08 10:21:30 | 000,750,920 | ---- | M] (AVG) -- C:\Program Files\AVG\AVG PC Tuneup 2011\BoostSpeed.exe
PRC - [2010/10/06 17:24:38 | 000,652,640 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgrsx.exe
PRC - [2010/10/06 17:24:36 | 001,065,824 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgnsx.exe
PRC - [2010/10/06 17:24:08 | 000,647,008 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgchsvx.exe
PRC - [2010/09/28 21:33:02 | 002,407,632 | ---- | M] (IObit) -- C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
PRC - [2010/09/15 05:29:10 | 002,745,696 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgtray.exe
PRC - [2010/09/10 01:45:22 | 000,265,400 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgwdsvc.exe
PRC - [2010/09/07 03:50:22 | 001,047,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgemcx.exe
PRC - [2008/04/13 18:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2002/09/20 15:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


========== Modules (SafeList) ==========

MOD - [2010/11/19 10:30:34 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Mom & Dad\Desktop\Virus-Malware Apps\Windows Security\OTL.exe
MOD - [2010/08/23 10:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2010/10/11 12:58:12 | 006,104,656 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe -- (AVGIDSAgent)
SRV - [2010/10/06 11:31:48 | 000,517,448 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe -- (AVG Security Toolbar Service)
SRV - [2010/09/10 01:45:22 | 000,265,400 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG10\avgwdsvc.exe -- (avgwd)
SRV - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2002/09/20 15:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))


========== Driver Services (SafeList) ==========

DRV - [2010/09/13 16:27:24 | 000,025,680 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys -- (AVGIDSEH)
DRV - [2010/09/07 03:49:00 | 000,298,448 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgtdix.sys -- (Avgtdix)
DRV - [2010/09/07 03:48:56 | 000,034,384 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (Avgmfx86)
DRV - [2010/09/07 03:48:54 | 000,249,424 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (Avgldx86)
DRV - [2010/09/07 03:48:50 | 000,026,064 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\avgrkx86.sys -- (Avgrkx86)
DRV - [2010/08/19 21:42:38 | 000,030,288 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSFilter.sys -- (AVGIDSFilter)
DRV - [2010/08/19 21:42:36 | 000,123,472 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSDriver.sys -- (AVGIDSDriver)
DRV - [2010/08/19 21:42:34 | 000,026,192 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSShim.sys -- (AVGIDSShim)
DRV - [2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2010/02/11 06:02:15 | 000,226,880 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tcpip6.sys -- (Tcpip6)
DRV - [2005/08/02 22:00:36 | 000,232,192 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rt73.sys -- (RT73)
DRV - [2004/08/03 23:29:54 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2003/07/17 09:22:10 | 000,147,328 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\EL2K_XP.sys -- (EL2000)
DRV - [2002/09/19 20:53:34 | 000,235,100 | ---- | M] (Analog Devices Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MidiSyn.sys -- (MidiSyn)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKCU\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.msn.com/"
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:10.0.0.1151
FF - prefs.js..extensions.enabledItems: avg@igeared:6.010.006.004
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..network.proxy.http: ""
FF - prefs.js..network.proxy.http_port: ""
FF - prefs.js..network.proxy.type: ""

FF - HKLM\software\mozilla\Firefox\extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG10\Firefox\ [2010/11/12 11:43:22 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\avg@igeared: C:\Program Files\AVG\AVG10\Toolbar\Firefox\avg@igeared [2010/11/12 11:45:12 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.15\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/11/19 17:01:05 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.15\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/11/20 11:12:26 | 000,000,000 | ---D | M]

[2010/01/25 19:28:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mom & Dad\Application Data\Mozilla\Extensions
[2010/01/25 19:28:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mom & Dad\Application Data\Mozilla\Firefox\Profiles\ve9mvbdr.default\extensions
[2010/11/20 11:12:28 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/11/20 11:12:28 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2010/09/15 04:50:38 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2003/03/31 06:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Advanced SystemCare 3] C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe (IObit)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\PhishingFilter present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1259281569481 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1259282824843 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 69.1.30.43 69.1.30.42
O18 - Protocol\Handler\avgsecuritytoolbar {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Mom & Dad\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Mom & Dad\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/11/26 17:21:10 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/04/25 19:32:50 | 000,000,090 | ---- | M] () - D:\AUTORUN.INF -- [ FAT32 ]
O32 - AutoRun File - [2008/05/06 06:26:23 | 000,000,309 | R--- | M] () - K:\autorun.inf -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgchsvx.exe /sync) - C:\Program Files\AVG\AVG10\avgchsvx.exe (AVG Technologies CZ, s.r.o.)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgrsx.exe /sync /restart) - C:\Program Files\AVG\AVG10\avgrsx.exe (AVG Technologies CZ, s.r.o.)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/11/20 11:30:30 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/11/20 11:15:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/11/20 11:15:14 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/11/20 11:12:26 | 000,472,808 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/11/20 11:12:26 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/11/20 11:12:26 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/11/20 11:12:26 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/11/18 21:44:19 | 000,974,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mfc42.dll
[2010/11/18 21:44:19 | 000,953,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mfc40u.dll
[2010/11/18 21:43:50 | 000,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\comctl32.dll
[2010/11/18 21:43:31 | 000,744,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\helpsvc.exe
[2010/11/18 21:42:18 | 000,743,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iedvtool.dll
[2010/11/18 21:40:20 | 003,558,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\moviemk.exe
[2010/11/18 17:51:00 | 001,339,480 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Mom & Dad\Desktop\TDSSKiller.exe
[2010/11/18 06:58:57 | 000,000,000 | ---D | C] -- C:\Program Files\IObit
[2010/11/18 06:58:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mom & Dad\Application Data\IObit
[2010/11/17 19:04:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mom & Dad\Desktop\Virus-Malware Apps
[2010/11/17 01:09:55 | 000,222,080 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2010/11/16 23:42:20 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Defender
[2010/11/16 20:49:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\MpEngineStore
[2010/11/13 12:03:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mom & Dad\Application Data\Malwarebytes
[2010/11/13 12:03:45 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/11/13 12:03:43 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/11/13 12:03:43 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/11/13 12:03:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/11/12 17:47:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mom & Dad\My Documents\Documents
[2010/11/12 15:45:49 | 000,000,000 | ---D | C] -- C:\Program Files\Free Window Registry Repair
[2010/11/12 15:20:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mom & Dad\Local Settings\Application Data\PackageAware
[2010/11/12 14:59:32 | 015,633,288 | ---- | C] (PC Tools ) -- C:\Documents and Settings\Mom & Dad\Desktop\rminstall.exe
[2010/11/12 11:45:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
[2010/11/12 11:42:54 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\AVG
[2010/11/12 00:44:41 | 000,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2010/11/11 21:31:21 | 000,000,000 | ---D | C] -- C:\Program Files\MSN
[2010/11/11 21:31:11 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2010/11/11 21:30:44 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2010/11/11 18:09:59 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Mom & Dad\My Documents\My Videos
[2010/11/11 13:40:52 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie8(2)
[2010/11/11 09:56:27 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Essentials
[2010/11/11 08:26:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mom & Dad\Application Data\DivX
[2010/11/11 08:26:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mom & Dad\My Documents\DivX Movies
[2010/11/11 07:11:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mom & Dad\My Documents\Downloads
[2010/11/09 09:17:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mom & Dad\Desktop\Carl
[2010/11/09 09:07:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mom & Dad\Desktop\Mark
[2010/11/09 08:57:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mom & Dad\Desktop\Desiree
[2010/11/09 06:45:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mom & Dad\Local Settings\Application Data\AVG Security Toolbar
[2010/11/09 06:35:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mom & Dad\Desktop\Courtney
[2010/11/08 21:25:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mom & Dad\Application Data\AVG
[2010/11/08 20:15:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mom & Dad\Application Data\AVG10
[2010/11/08 20:13:17 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2010/11/08 20:11:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVG10
[2010/11/08 19:48:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2010/11/07 16:28:30 | 000,012,536 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx(2)(2).dll
[2010/11/06 13:03:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mom & Dad\Local Settings\Application Data\Apple
[2010/11/06 12:51:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mom & Dad\Application Data\U3

========== Files - Modified Within 30 Days ==========

[2010/11/20 11:32:57 | 000,000,396 | ---- | M] () -- C:\WINDOWS\tasks\AVG PC Tuneup 2011 Integrator Start On Windows Logon.job
[2010/11/20 11:32:55 | 000,013,738 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/11/20 11:32:52 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/11/20 11:14:26 | 099,708,865 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm
[2010/11/19 19:00:00 | 000,000,262 | ---- | M] () -- C:\WINDOWS\tasks\RMSchedule.job
[2010/11/18 23:39:54 | 000,109,400 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/11/18 22:58:44 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/11/18 06:59:04 | 000,000,874 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Advanced SystemCare.lnk
[2010/11/17 07:24:00 | 001,339,480 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Mom & Dad\Desktop\TDSSKiller.exe
[2010/11/13 12:03:48 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/11/12 15:45:51 | 000,000,718 | ---- | M] () -- C:\Documents and Settings\Mom & Dad\Desktop\Free Window Registry Repair.lnk
[2010/11/12 14:59:39 | 015,633,288 | ---- | M] (PC Tools ) -- C:\Documents and Settings\Mom & Dad\Desktop\rminstall.exe
[2010/11/11 06:41:17 | 000,311,604 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/11/11 06:41:17 | 000,039,992 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/11/08 21:00:40 | 000,000,830 | ---- | M] () -- C:\Documents and Settings\Mom & Dad\Desktop\AVG PC Tuneup 2011.lnk
[2010/11/07 17:28:09 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\Mom & Dad\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/11/07 16:28:30 | 000,012,536 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx(2)(2).dll
[2010/11/06 13:32:15 | 000,000,104 | ---- | M] () -- C:\Documents and Settings\Mom & Dad\Desktop\My Computer.lnk
[2010/11/06 12:15:16 | 000,003,071 | ---- | M] () -- C:\WINDOWS\Ascd_tmp.ini

========== Files Created - No Company Name ==========

[2010/11/20 11:14:26 | 099,708,865 | ---- | C] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm
[2010/11/18 06:59:04 | 000,000,874 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Advanced SystemCare.lnk
[2010/11/13 12:03:48 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/11/12 15:45:51 | 000,000,718 | ---- | C] () -- C:\Documents and Settings\Mom & Dad\Desktop\Free Window Registry Repair.lnk
[2010/11/12 15:02:37 | 000,000,262 | ---- | C] () -- C:\WINDOWS\tasks\RMSchedule.job
[2010/11/12 01:17:54 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\Mom & Dad\S-1-5-21-1202660629-1482476501-839522115-1008.rrr.LOG
[2010/11/08 21:00:56 | 000,000,396 | ---- | C] () -- C:\WINDOWS\tasks\AVG PC Tuneup 2011 Integrator Start On Windows Logon.job
[2010/11/08 21:00:40 | 000,000,830 | ---- | C] () -- C:\Documents and Settings\Mom & Dad\Desktop\AVG PC Tuneup 2011.lnk
[2010/11/07 17:28:09 | 000,001,602 | ---- | C] () -- C:\Documents and Settings\Mom & Dad\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/11/06 13:32:15 | 000,000,104 | ---- | C] () -- C:\Documents and Settings\Mom & Dad\Desktop\My Computer.lnk
[2009/12/01 18:38:30 | 000,003,071 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2009/12/01 18:38:29 | 000,005,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2009/11/26 09:02:02 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2006/10/22 12:22:00 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/10/22 12:22:00 | 001,470,464 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/10/22 12:22:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/10/22 12:22:00 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006/10/22 12:22:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/10/22 12:22:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/10/22 12:22:00 | 000,212,992 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2006/10/22 12:22:00 | 000,000,862 | ---- | C] () -- C:\WINDOWS\System32\setup.ini

========== Alternate Data Streams ==========

@Alternate Data Stream - 158 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1
@Alternate Data Stream - 144 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4

< End of report >

Post OTL/ESET OnlineScan observations:

1. Figuring I no longer needed AVG PC Tuneup 2011 (because I don't want to purchase this product), I started to removed it using the "Add/Remove Program" feature. However, I received a warning message that stated I still had approximately 349 registry errors on my PC.

2. I noticed that my AVG main menu dialog screen schimmered when I activated it. I didn't run a virus scan; I just maximized the program from the Taskbar icon by the system clock. My computer screen went black briefly.

3. I also maximized the Advanced SystemCare program but didn't run it either. However, the same thing happened here as with AVG when I maximized its main menu screen; my computer screen went black briefly.

I'm not sure what's going on there, but these were the 3 things I noticed immediately after running the ESET OnlineScan.

Thanks again for your assistance. I'm not sure if our work is done just yet, but I'm standing by for your critique just in case.

Attached Files






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users